Which is more secure, Android or iOS? The answer isn't that simple

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

We love to ask the question, "Which is more secure: iOS or Android?" But if you really want to drive secure mobile productivity you're going to have to start looking at the bigger picture.

The longstanding Android vs. iOS debate is understandable because these mobile OSes power the majority of devices employees bring to work today. But two trends in the mobile world are uprooting the traditional arguing points -- and changing the mobile security landscape overall. They highlight our need for an actionable, multi-layer security approach, not just putting your hope in the OSes of two major mobile players.

Trend one is the advent of beautiful devices that don't utilize Google Mobile Services, or GMS. The Android community embraces experimentation. Indeed, we're seeing much of this innovation extend beyond the Google-controlled version of Android and move into the Android Open Source Platform. At this year's Mobile World Congress, there were many devices that could truly rival the greats like Samsung, LG, HTC, and yes, even Apple. They're slick, beautiful, and have intuitive user experiences. Best part? They don't cost a lot.

But there's a problem here. The mobile industry has by-and-large relied on the safety and reliability of GMS, especially as it comes to app vetting through the Google Play Store. Devices that don't use GMS are not beholden to Google's best practices, and in turn can't benefit from them when it comes to securing the devices and the apps on them. In fact, many of these manufacturers include their own or other third parties' app stores on their devices. The more these economically priced, yet still competitive, devices flow into the market, the more we will see them -- and unvetted apps -- flow into the enterprise via BYOD.

And trend two is enterprises building home grown applications that specifically address their productivity needs. Indeed, "48% of businesses expect to increase their mobile app budgets, with 20% expecting to increase app budgets by more than 10 percent," according to a recent report by CDW.

While Android has always made the distribution of custom enterprise apps easy, Apple, on the other hand, has traditionally run a very tight ship. Users can download from the official Google Play app store, but they can also visit third-party marketplaces, download apps as attachments in email, and more. Apple, instead, usually funnels app downloading through its protected App Store.

But in an effort to court enterprises, Apple introduced a mechanism to distribute these homegrown apps to the thousands of employees an enterprise has through something called an enterprise provisioning profile. In simple terms, this profile allows an enterprise to push out their application to any user without needing to go through Apple's sometimes rigorous process of getting an app accepted to the App Store.

While this makes it easy for enterprises to distribute apps to employees, the enterprise provisioning profile unfortunately creates a situation where many enterprises actually bypass Apple's app vetting process, losing a layer of security.

In many instances, receiving applications outside of the official App Store, or what we call sideloading, causes users to encounter dialogue boxes they don't necessarily understand.

The world has a knee-jerk reaction to the pop-up: comply quickly, close it, do whatever you can to make it go away. It's the "next-next-next" mentality. Anything that interrupts a user's flow on the device is quickly dealt with in an effort to get back to the task at hand.

As enterprises have expanded their homegrown app offerings by the hundreds, employees are now receiving many more of these notifications on iOS devices and could be more likely to quickly move through them.

Why is this worrying? When users are too often exposed to these dialogues, they are conditioned to ignore important security warnings which could result in bad apps passing unnoticed onto devices, exposing enterprise networks to possible risk.

Consider this: not including attacks on jailbroken phones, most of the known iOS threats use enterprise provisioning profiles to access their target device. As an enterprise, you don't want those app download dialogue boxes becoming a nuance people ignore.

The need to think holistically

As the way we buy and use our mobile phones changes, so must the conversations around what is truly secure. Where once we could compare Android and iOS devices side-by-side, the ways they're being used and the new devices entering the landscape are adding nuances that can't be ignored.

Businesses and consumers alike are going to need to use a multi-layer approach to security. We can't rely solely on Google or Apple to police the app landscape and ensure their operating systems are buttoned up and without back doors. It will take many layers to filter out the mobile security risks. Traditional network security, device security, application security, on top of app vetting, will all work toward one common goal: a safer corporate network and protected personal data.

Aaron Cockerill is the vice president of products at Lookout, the global leader in mobile security, protecting more than 60 million users each day from mobile threats. Previously, he served as VP of mobile technologies at Citrix. Follow him on Twitter at @aaron_cockerill.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.